LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   I want to stop these particular messages in /var/log/messages (https://www.linuxquestions.org/questions/linux-security-4/i-want-to-stop-these-particular-messages-in-var-log-messages-729461/)

smartyshan 05-30-2009 02:36 AM

I want to stop these particular messages in /var/log/messages
 
Dear All,

More than 7 GB were logged to the messages file in the last three weeks.

I get these messages in /var/log/messages.

I want to stop these messages because they take up too much space.


SAMPLE:
Quote:

Apr 30 20:25:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:29:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:30:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:32:35 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.36 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:32:35 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=00:17:a4:10:46:2b:00:16:ca:85:62:04:08:00 SRC=172.26.8.36 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=19082 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:34:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:34:11 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.37 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:34:11 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=00:17:a4:10:46:2b:00:16:ca:86:12:04:08:00 SRC=172.26.8.37 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=17896 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:35:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:39:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:40:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:44:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:45:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:49:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:49:39 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.36 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:49:39 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=00:17:a4:10:46:2b:00:16:ca:85:62:04:08:00 SRC=172.26.8.36 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=9615 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:50:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:3d:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:51:18 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.37 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:51:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:00:1d:4b:c5:b8:e0:86:12:04:08:00 SRC=172.26.8.37 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=4395 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:54:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:00:1d:4b:c5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:55:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:00:1d:4b:c5:b8:e0:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:59:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:00:1d:4b:c5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84

colucix 05-30-2009 02:54 AM

These are messages from the firewall (iptables). You can disable them by editing the iptables rules, but I suggest keeping them in their own log file (e.g. /var/log/firewall) and establishing a custom logrotate rule to cycle them more often. See man syslog.conf and man logrotate for details.
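The two pointers above (a separate log file, a tighter rotation policy) in concrete form, as an added example that is not from this thread. It assumes rsyslog rather than classic syslogd (syslog.conf selects only by facility and priority, not by message text) and stages the two fragments under a directory you name, so you can inspect them before copying them to /etc/rsyslog.d and /etc/logrotate.d. The file names, the rotation policy, the file ownership and the pid-file path in the postrotate hook are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stage the config fragments that send the
# "IPT: " kernel lines to their own file and rotate that file daily.
# Assumes rsyslog and logrotate; paths and the policy are assumptions.

# write_firewall_log_conf STAGEDIR
#   creates STAGEDIR/rsyslog.d/10-firewall.conf and STAGEDIR/logrotate.d/firewall
write_firewall_log_conf() {
    stage=$1
    mkdir -p "$stage/rsyslog.d" "$stage/logrotate.d" || return 1

    # rsyslog: select on the prefix the iptables LOG rule puts in front of the
    # message, write those lines to /var/log/firewall ("-" = buffered write) and
    # stop, so they no longer also land in /var/log/messages.  On rsyslog < 7 the
    # discard action is spelled "& ~" instead of "& stop".  The "10-" makes the
    # file sort before anything else in rsyslog.d, i.e. before the rule that
    # feeds /var/log/messages.
    cat >"$stage/rsyslog.d/10-firewall.conf" <<'EOF'
:msg, contains, "IPT: "    -/var/log/firewall
& stop
EOF

    # logrotate: rotate daily, keep two weeks, compress older copies, and HUP
    # rsyslogd so it reopens the new file.  Pid-file path is an assumption;
    # check your distribution (some ship a helper script to call here instead).
    cat >"$stage/logrotate.d/firewall" <<'EOF'
/var/log/firewall {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    postrotate
        /bin/kill -HUP "$(cat /var/run/rsyslogd.pid 2>/dev/null)" 2>/dev/null || true
    endscript
}
EOF
}

# check_firewall_log_conf STAGEDIR
#   returns 0 when both fragments carry the lines that matter
check_firewall_log_conf() {
    grep -q 'contains, "IPT: "' "$1/rsyslog.d/10-firewall.conf" &&
    grep -q '^& stop' "$1/rsyslog.d/10-firewall.conf" &&
    grep -q '^/var/log/firewall {' "$1/logrotate.d/firewall" &&
    grep -q '^ *postrotate' "$1/logrotate.d/firewall"
}

# Usage: write_firewall_log_conf /tmp/fwlog && check_firewall_log_conf /tmp/fwlog
```

With classic syslogd, where message-text filters are not available, the equivalent trick is to give the iptables LOG rule `--log-level debug` and add `kern.=debug -/var/log/firewall` to syslog.conf: the stock `*.info` selector that feeds /var/log/messages does not match debug-priority lines, so they only reach the dedicated file.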

smartyshan 05-30-2009 04:29 AM

Quote:

Originally Posted by colucix (Post 3557287)
These are messages from the firewall (iptables). You can disable them by editing the iptables rules, but I suggest keeping them in their own log file (e.g. /var/log/firewall) and establishing a custom logrotate rule to cycle them more often. See man syslog.conf and man logrotate for details.

Dear colucix, thanks for the hint. Can we define some exceptions with the help of which we can get rid of these messages?

repo 05-30-2009 04:40 AM

Quote:

can we find some exceptions with the help of that we get rid of these messages?
As said before, disable logging in the firewall itself.

smartyshan 05-30-2009 06:28 AM

Quote:

Originally Posted by repo (Post 3557337)
As told before, disable logging in the firewall itself.

Yes, you are right, but disabling is not an option.

What rule should I make to monitor traffic only from particular IPs and ignore all others? All the other IPs' logs are useless for me, but filtering some of the IPs is necessary and we also want their logs.

win32sux 05-30-2009 07:06 PM

Disabling the firewall's logging is overkill. It looks like it's mainly UDP packets for ports 123 and 10100 that are causing the excessive logging. You could insert some ACCEPT and/or DROP rules matching those packets at the top of the chains. That would put an end to this, and it lets you be very specific as to which packets you don't want to log. For example, if you want to disable logging only for locally generated UDP packets with destination port 123 on them which exit on eth1, you could execute either a:
Code:

iptables -I OUTPUT -p UDP -o eth1 --dport 123 -j ACCEPT
Or a:
Code:

iptables -I OUTPUT -p UDP -o eth1 --dport 123 -j DROP
...depending on whether you want to allow or deny the packet. Either command would prevent the packet from reaching whatever LOG rule it's currently hitting, and you can easily add more matches such as destination IP, for example.
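Before inserting exceptions it pays to count which prefix, interface, protocol and destination port combinations actually dominate the log, which is what the post above did by eye on the excerpt. The script below is an added example, not code from the thread: it embeds a constructed sample of eight lines copied from the excerpt at the top of the thread and summarises them with awk, first by match criteria (the fields an iptables exception rule would use) and then by source address (to decide whether a per-host exception is warranted). The function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG lines so that the
# exceptions inserted ahead of the LOG rule match the real top talkers.

# Constructed sample: eight lines copied from the excerpt posted in the thread.
SAMPLE_LOG='Apr 30 20:25:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:29:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:30:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:32:35 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.36 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:32:35 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=00:17:a4:10:46:2b:00:16:ca:85:62:04:08:00 SRC=172.26.8.36 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=19082 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:34:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:34:11 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.37 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:34:11 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=00:17:a4:10:46:2b:00:16:ca:86:12:04:08:00 SRC=172.26.8.37 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=17896 PROTO=UDP SPT=123 DPT=123 LEN=56'

# summarize_ipt_log: read LOG lines on stdin, print "<count> <prefix> IN=.. OUT=.. <proto> DPT=.."
# sorted by count, i.e. one line per combination an exception rule would match on.
summarize_ipt_log() {
    awk '
    /kernel: IPT: / {
        prefix = ""; in_if = ""; out_if = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "IPT:") prefix = $(i + 1)     # the --log-prefix word
            split($i, kv, "=")                       # KEY=VALUE fields
            if (kv[1] == "IN")    in_if  = kv[2]
            if (kv[1] == "OUT")   out_if = kv[2]
            if (kv[1] == "PROTO") proto  = kv[2]
            if (kv[1] == "DPT")   dpt    = kv[2]
        }
        count[prefix " IN=" in_if " OUT=" out_if " " proto " DPT=" dpt]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# top_sources: read LOG lines on stdin, print "<count> <SRC address>" sorted by count.
top_sources() {
    awk '
    /kernel: IPT: / {
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "SRC=") src[substr($i, 5)]++
    }
    END { for (s in src) printf "%d %s\n", src[s], s }
    ' | sort -rn
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_ipt_log
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

Against the real file, run `grep 'IPT:' /var/log/messages | summarize_ipt_log`; the first output line names the IN/OUT interface, protocol and destination port of the flow worth an exception, and `top_sources` tells you whether that flow comes from a handful of hosts (a `-s` match) or from the whole segment (a port or broadcast-address match).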

smartyshan 05-31-2009 01:23 AM

Quote:

Originally Posted by win32sux (Post 3557772)
Disabling the firewall's logging is overkill. It looks like it's mainly UDP packets for ports 123 and 10100 that are causing the excessive logging. You could insert some ACCEPT and/or DROP rules matching those packets at the top of the chains. That would put an end to this, and it lets you be very specific as to which packets you don't want to log. For example, if you want to disable logging only for locally generated UDP packets with destination port 123 on them which exit on eth1, you could execute either a:
Code:

iptables -I OUTPUT -p UDP -o eth1 --dport 123 -j ACCEPT
Or a:
Code:

iptables -I OUTPUT -p UDP -o eth1 --dport 123 -j DROP
...depending on whether you want to allow or deny the packet. Either command would prevent the packet from reaching whatever LOG rule it's currently hitting, and you can easily add more matches such as destination IP, for example.

Thanks a lot, win32sux... it is very clear to me now.

But kindly also tell me: if I really want to exclude the IPs [172.26.16.16] and [172.26.16.28] from monitoring and/or logging, what should the rule be for this?

win32sux 05-31-2009 02:41 AM

Quote:

Originally Posted by smartyshan (Post 3557949)
Thnx alot Win32sux... its very much clear to me now,

But kindly tell me also if i really want to exclude an IPs [172.26.16.16] and [172.26.16.28] from monitoring and/or logging, what should be the rule for this?

It depends. Ideally, you'd want to create an exception right before the rule which currently sends the packet to the logging chain. This new rule would either ACCEPT/DROP/REJECT the packet, or send it to another chain which is set up differently than the logging one. That said, inserting a rule at the top of the chain would work just fine, and it would go like:
Code:

iptables -I INPUT -i eth1 -s 172.26.16.16 -j ACCEPT
iptables -I INPUT -i eth1 -s 172.26.16.28 -j ACCEPT

Change the target from ACCEPT to DROP if your objective is to filter packets with those source IPs.
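Two things to check before typing the rules above into a live box. First, the excerpt at the top of the thread shows the 172.26.16.x hosts arriving on eth0, not eth1, so `-i eth1` would not match them; use the interface the log line's IN= field shows, or leave the interface out. Second, an ACCEPT inserted at the top of INPUT does more than silence a log line: it admits every packet from that host before any other rule is consulted, which is why the post suggests placing the exception right before the rule that feeds the logging chain instead. The script below is an added example, not code from the thread: it generates a complete iptables-restore ruleset in which the exceptions sit in front of the LOG rule, the LOG rule lives in its own chain behind a limit match so a flood cannot fill the disk even when no exception covers it, and the per-host exclusions take ACCEPT or DROP as asked. Interface names, addresses and prefixes follow the excerpt; the chain names and the limit values are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset whose
# exceptions precede a rate-limited LOG chain.  Chain names and limits are
# assumptions; interfaces, addresses and prefixes follow the thread's excerpt.

# emit_ruleset QUIET_TARGET QUIET_IP...
#   QUIET_TARGET  ACCEPT or DROP: what happens to packets from QUIET_IPs,
#                 which are never logged
#   QUIET_IP      source addresses to exclude from logging
emit_ruleset() {
    quiet_target=$1; shift
    case $quiet_target in
        ACCEPT|DROP) ;;
        *) echo "emit_ruleset: target must be ACCEPT or DROP" >&2; return 1 ;;
    esac

    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
# Logging chains: "limit" caps each chain at a sustained 5 log lines/min (burst 10);
# packets above that rate take the same verdict, just without a syslog line.
-A LOG_DROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT: IN_NOMATCH "
-A LOG_DROP -j DROP
-A LOG_ACCEPT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT: OUTGOING_NOT_EST "
-A LOG_ACCEPT -j ACCEPT
# Loopback, then replies to our own traffic (this also covers the NTP replies on eth1).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Per-host exclusions go before the catch-all, so they never reach LOG_DROP.
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j $quiet_target"
    done
    cat <<'EOF'
# The subnet broadcast chatter on UDP/10100 arriving on eth0 is dropped silently.
-A INPUT -i eth0 -p udp -d 172.26.16.255 --dport 10100 -j DROP
# Whatever else reaches the end of INPUT is logged (rate-limited) and dropped.
-A INPUT -j LOG_DROP
# Locally generated NTP queries leaving eth1 are accepted without a log line;
# any other new outbound flow is logged (rate-limited) and accepted.
-A OUTPUT -o eth1 -p udp --dport 123 -j ACCEPT
-A OUTPUT -m state --state NEW -j LOG_ACCEPT
COMMIT
EOF
}

# rule_line RULESET PATTERN
#   1-based line number of the first ruleset line containing PATTERN, or 0.
#   Used to confirm that an exception really precedes the rule it must shadow.
rule_line() {
    n=$(printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Usage (as root, after reviewing the output):
#   emit_ruleset DROP 172.26.16.16 172.26.16.28 > /tmp/firewall.rules
#   iptables-restore < /tmp/firewall.rules
emit_ruleset DROP 172.26.16.16 172.26.16.28
```

`iptables-restore` replaces the whole table atomically, so the ordering you see in the file is the ordering the kernel evaluates; `rule_line` is there to assert that ordering in a script before loading. Keep the LOG_DROP chain even once the noisy flows are covered: the limit match is what protects the disk the next time an unexpected flow appears.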

